How does iptables hashlimit module work?

Hashlimit is an iptables module that allows one to define rules that in effect will limit traffic speed (bytes / time unit) or frequency (connections / time unit) per target or origin ports / IPs. The inner workings of this module and / or how to make it work correctly remains a mystery for many.

Hashlimit is also close friends with the limit module, only much more powerful, capable of expressing rate limiting per source IP (for example) in a single rule.

Source: Stuff I do: How does iptables hashlimit module work?

Fault Tolerant Router

Fault Tolerant Router is a daemon, running in background on a Linux router or firewall, monitoring the state of multiple internet uplinks/providers and changing the routing accordingly. LAN/DMZ internet traffic (outgoing connections) is load balanced between the uplinks using Linux multipath routing. The daemon monitors the state of the uplinks by routinely pinging well known IP addresses (Google public DNS servers, etc.) through each outgoing interface: once an uplink goes down, it is excluded from the multipath routing, when it comes back up, it is included again. All of the routing changes are notified to the administrator by email.

via  Fault Tolerant Router

netfilter/iptables project homepage

nftables is the project that aims to replace the existing {ip,ip6,arp,eb}tables framework. Basically, this project provides a new packet filtering framework, a new userspace utility and also a compatibility layer for {ip,ip6}tables. nftables is built upon the building blocks of the Netfilter infrastructure such as the existing hooks, the connection tracking system, the userspace queueing component and the logging subsystem.

via netfilter/iptables project homepage – The “nftables” project.

From: Nftables: a new packet filtering engine

Packet filtering and firewalling has a long history in Linux. The first filtering mechanism, called “ipfwadm,” was released in 1995 for the 1.2.1 kernel. This code was used until the 2.2.0 stable release (January, 1999), when the new “ipchains” module took over. While ipchains was useful, it only lasted until 2.4.0 (January, 2001), when it, too, was replaced by iptables/netfilter, which remains in the kernel now. If netfilter maintainer Patrick McHardy has his way, though, iptables, too, will be gone in the future, replaced by yet another mechanism called “nftables.” This article will give an overview of how nftables works, followed by a discussion of the motivations behind this change.

Using iptables and PHP to create a captive portal

There are various captive portal software packages available (both free and open source) that will allow you to setup an internet access facility that people have to logon to first. None of the packages I tried did what I wanted and they were not particularly customisable. Therefore I created my own, using a few iptables rules and PHP (along with a handful of other standard packages). This page details the steps that were taken. The key to this method as opposed to other iptables based solutions is that tracking information is removed after the user has signed up. Failure to do this will sometimes cause the user to still be redirected to your logon page even after they have signed up.

via Using iptables and PHP to create a captive portal – Andywiki.

Captive portals allow for a splash screen to be delivered to a user upon entering an open network such as free wifi hotspots at various establishments.  This portal typically shows terms of service and displays some branding.  The user hits OK and then they’re free to use the network.  I find this burdensome but in the world of branding and advertising I can understand why places may want this.  I found the above iptables only solution with some PHP interesting.  Here’s another site.

For Squid users it appears to be even easier by only requiring some configuration changes.  See  Portal Splash Pages for more information.

Welcome to DenyHosts

DenyHosts is a script intended to be run by Linux system administrators to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks).

If you’ve ever looked at your ssh log (/var/log/secure on Redhat, /var/log/auth.log on Mandrake, etc…) you may be alarmed to see how many hackers attempted to gain access to your server. Hopefully, none of them were successful (but then again, how would you know?). Wouldn’t it be better to automatically prevent that attacker from continuing to gain entry into your system?

via Welcome to DenyHosts.

Not me.  If I let ssh into the network I only allow it for the IP address I’m going to be accessing the network from.  These brute force attacks are annoying.  This little app may prove useful.  Will look into this.

Mass-blocking IP addresses with ipset

It has been shown, the hash approach as implemented by ipset clearly beats traditional mass-rule-blocking. It extends netfilter in a very useful way by decreasing the average response time. In the average over all samples made, IP sets are over 11 times faster. To conclude, let me show you another plot, this time I compared the ipset and iptables approaches within the same graph. The yellow bar shows ipset delays, the red bar does so for iptables.

via Mass-blocking IP addresses with ipset » daemonkeeper’s purgatory.

20 Iptables Examples For New SysAdmins

This Linux based firewall is controlled by the program called iptables to handles filtering for IPv4, and ip6tables handles filtering for IPv6. I strongly recommend that you first read our quick tutorial that explains how to configure a host-based firewall called Netfilter (iptables) under CentOS / RHEL / Fedora / Redhat Enterprise Linux. This post list most common iptables solutions required by a new Linux user to secure his or her Linux operating system from intruders.

Via Linux: 20 Iptables Examples For New SysAdmins.

Transparent web proxy – DD-WRT Wiki

Running a transparent proxy server on your network can be used for more advanced content filtering of web pages for environments such as a school or library (where in some locales, filtering is required by law) or as a way to protect children in the household.

This guide will help you enable a transparent proxy server on your network by having your WRT54G router forward all traffic to the proxy server automatically.

via Transparent web proxy – DD-WRT Wiki.

Example of a full nat solution with QoS

Here I’m describing a common set up where we have lots of users in a private network connected to the Internet trough a Linux router with a public ip address that is doing network address translation (NAT). I use this QoS setup to give access to the Internet to 198 users in a university dorm, in which I live and I’m netadmin of. The users here do heavy use of peer to peer programs, so proper traffic control is a must. I hope this serves as a practical example for all interested lartc readers.

Via Example of a full nat solution with QoS.